OFFICE OF AUDIT
REGION 8
DENVER, CO

DRAFT
For Discussion and Comment Only - Subject to Review and Revision

Helena Housing Authority, Helena, MT

Housing Choice Voucher Program

2014-DE-1002
SEPTEMBER 25, 2014

Issue Date: September 25, 2014

Audit Report Number: 2014-DE-1002

TO: Ann Roman, Director, Denver Office of Public and Indian Housing, 8APH

//signed//
FROM: Ronald J. Hosking, Regional Inspector General for Audit, 8AGA

SUBJECT: A Former Employee of the Helena Housing Authority, Helena, MT, Improperly Released Personally Identifiable Information

Attached is the U.S. Department of Housing and Urban Development (HUD), Office of Inspector General’s (OIG) final results of our review of a hotline complaint alleging the improper release of housing choice voucher holders’ personally identifiable information outside the Helena Housing Authority.

HUD Handbook 2000.06, REV-4, sets specific timeframes for management decisions on recommended corrective actions. For each recommendation without a management decision, please respond and provide status reports in accordance with the HUD Handbook. Please furnish us copies of any correspondence or directives issued because of the audit.

The Inspector General Act, Title 5 United States Code, section 8M, requires that OIG post its publicly available reports on the OIG Web site.
Accordingly, this report will be posted at http://www.hudoig.gov.

If you have any questions or comments about this report, please do not hesitate to call me at 913-551-5870.

Office of Audit Region 8
1670 Broadway, 24th Floor, Denver, CO 80202
Phone (303) 672-5452, Fax (303) 672-5006
Visit the Office of Inspector General Web site at www.hudoig.gov.

September 25, 2014
A Former Employee of the Helena Housing Authority, Helena, MT, Improperly Released Personally Identifiable Information

Highlights
Audit Report 2014-DE-1002

What We Audited and Why

We received a hotline complaint alleging that a former employee of the Helena Housing Authority, Helena, MT, improperly released housing choice voucher holders’ personally identifiable information outside the Authority. Our objective was to determine whether the allegation had merit.

What We Found

A former Authority employee improperly released personally identifiable information outside the Authority. The employee sent at least seven emails containing housing choice voucher holders’ personally identifiable information, including Social Security numbers and other personal information such as household income, to the employee’s personal email address and the work email address of a friend who worked for one of the Authority’s contractors.

What We Recommend

We recommend that the Director of the Denver Office of Public and Indian Housing require the Montana Department of Commerce and the Authority to consult their legal counsel to determine whether they are required to inform those voucher holders of the breach and if so, to notify the voucher holders.

TABLE OF CONTENTS

Background and Objective
Results of Audit
      The Former Employee Improperly Released Personally Identifiable Information Outside the Authority
Scope and Methodology
Internal Controls
Appendix
      Auditee Comments

BACKGROUND AND OBJECTIVES

The Helena Housing Authority was established on October 1, 1938, under the requirements of Section 7-15-44, Montana Code Annotated. A board of seven commissioners appointed by the mayor of Helena, MT, governs the Authority. The board determines Authority policies and monitors the Authority’s financial and operational success. Its mission is to provide safe and affordable housing and related services to eligible low-income families, the elderly, and the disabled.

The Authority receives Federal funds from the U.S. Department of Housing and Urban Development (HUD) to administer its Housing Choice Voucher program.
This program is the Federal Government’s major program for assisting very low-income families, the elderly, and the disabled in affording decent, safe, and sanitary housing in the private market.

The Authority also assists the State of Montana Department of Commerce with the administration of the State’s housing choice vouchers under a yearly service agreement. The agreement applies to the State’s housing choice vouchers issued within the geographic boundaries of Broadwater, Jefferson, and Lewis and Clark Counties in Montana.

The Authority manages 366 public housing units and has 345 vouchers, not including the State’s vouchers.

We initiated a review of the Authority due to an allegation of a potential breach of housing choice voucher holders’ personally identifiable information.

Our objective was to determine whether a former housing authority employee improperly released housing choice voucher holders’ personally identifiable information outside the Authority.

RESULTS OF AUDIT

A Former Employee Improperly Released Personally Identifiable Information Outside the Authority

We reviewed an allegation contained in a hotline complaint that a former employee of the Authority improperly released housing choice voucher holders’ personally identifiable information outside the Authority. We substantiated the allegation.

Personally Identifiable Information Released

The hotline complaint alleging that a former employee improperly released personally identifiable information outside the Authority had merit. We found seven emails containing housing choice voucher holders’ personally identifiable information that were improperly sent by a former employee outside the Authority.
The released emails contained many instances of program participants’ contact information, including Social Security numbers and other personal information such as household income. The former employee sent the emails to the employee’s personal email address and the work email address of a friend who worked for one of the Authority’s contractors.

The former employee certified to the receipt and understanding of Authority and State of Montana privacy policies before sending the emails. These policies require protection of client privacy as well as compliance with all applicable State and Federal laws that relate to the receipt of HUD or other government agency funds.

The former employee and the employee’s friend told us that they did not share or make public any client personally identifiable information. They further stated that they did not use the information for personal gain. The former employee stated that the information was sent to the employee’s personal email to protect the employee from questions the Authority may have had or adverse actions the Authority may have taken following the employee’s termination of employment.

We did not find an indication that the former employee shared or profited from the released personally identifiable information. In addition, since the former employee did not obtain the information from a HUD system, there was no violation of the Privacy Act (see 5 U.S.C. (United States Code) 552(a)).
Because the former employee obtained the personally identifiable information from a State of Montana system and a State-administered program, the Authority and the State should consult with their legal offices to determine the proper course of action.

We told the Authority which emails contained client personally identifiable information to assist in its efforts to respond appropriately.

Recommendations

We recommend that the Director of the Denver Office of Public and Indian Housing require the Montana Department of Commerce and the Authority to

1A. Consult their legal counsel to determine whether the employee violated the State’s privacy laws. If so, consider taking action against the former employee.

1B. Consult their legal counsel to determine whether they are required to inform voucher holders of the breach and if so, to notify those voucher holders.

SCOPE AND METHODOLOGY

Our audit covered the period January 1, 2012, through February 28, 2014. We performed our onsite work from April 2014 to June 2014 at the Authority offices located at 812 Abbey Street, Helena, MT.

We reviewed Authority policies and procedures to obtain an understanding of the program and the auditee. We interviewed current and former staff at the Authority, one of the Authority’s contractors, and officials at the State of Montana Department of Commerce, Division of Housing. We reviewed all relevant emails and other written communications originating from and received by the Authority during our audit period.
We did not select a sample of tenant files or perform file reviews to support our finding.

We did not use auditee computer-generated data as audit evidence or to support our audit conclusions. We used computer-generated documentation obtained from HUD and the auditee for background information purposes. We based all of our conclusions on source documentation reviewed during the audit.

We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective(s). We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

INTERNAL CONTROLS

Internal control is a process adopted by those charged with governance and management, designed to provide reasonable assurance about the achievement of the organization’s mission, goals, and objectives with regard to

   • Effectiveness and efficiency of operations,
   • Reliability of financial reporting, and
   • Compliance with applicable laws and regulations.

Internal controls comprise the plans, policies, methods, and procedures used to meet the organization’s mission, goals, and objectives.
Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations as well as the systems for measuring, reporting, and monitoring program performance.

Relevant Internal Controls

We determined that the following internal controls were relevant to our audit objective:

   • Controls to ensure the safeguarding of personally identifiable information.

We assessed the relevant controls identified above.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, the reasonable opportunity to prevent, detect, or correct (1) impairments to effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations on a timely basis.

We evaluated internal controls related to the audit objective in accordance with generally accepted government auditing standards. Our evaluation of internal controls was not designed to provide assurance regarding the effectiveness of the internal control structure. Accordingly, we do not express an opinion on the effectiveness of the Authority’s related internal controls.

APPENDIX

AUDITEE COMMENTS

The Auditee chose not to provide comments to this report.